Cisco IE 4000 Software Configuration Guide

Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
Per-User ACLs and Filter-Ids
Support was added for MDA- and multiauth-enabled ports. In 12.2(52)SE and later, support was added for ports in
multihost mode.
An ACL configured on the switch is not compatible with an ACL configured on another device running Cisco IOS
software, such as a Catalyst 6500 switch.
The ACLs configured on the switch are compatible with other devices running the Cisco IOS release.
Note: You can only set any as the source in the ACL.
Note: For any ACL configured for multiple-host mode, the source portion of the statement must be any. (For example,
permit icmp any host 10.10.1.1.)
You must specify any in the source ports of any defined ACL. Otherwise, the ACL cannot be applied and authorization
fails. Single host is the only exception to support backward compatibility.
More than one host can be authenticated on MDA-enabled and multiauth ports. The ACL policy applied for one host
does not affect the traffic of another host.
If only one host is authenticated on a multihost port, and the other hosts gain network access without authentication, the
ACL policy for the first host can be applied to the other connected hosts by specifying any in the source address.
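The source-must-be-any rule above can be checked before a per-user ACL is pushed to the switch. The following Python sketch is an added example, not code from the Cisco guide; the function names, the sample entries, and the handling of an ip:inacl#N= RADIUS AV-pair prefix are assumptions made for illustration.

```python
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Assumption: ACEs may arrive as RADIUS cisco-avpair values such as
# "ip:inacl#10=permit ..."; that prefix is stripped before parsing.
AVPAIR_PREFIX = re.compile(r"^ip:inacl#\d+=")
# True where the guide requires "any" as the source; single-host is the
# stated backward-compatibility exception.
SOURCE_MUST_BE_ANY = {
    "single-host": False,
    "multi-host": True,
    "multi-domain": True,  # MDA
    "multi-auth": True,
}


def source_of(ace):
    """Return the source field of 'permit|deny <proto> <source> ...'."""
    tokens = AVPAIR_PREFIX.sub("", ace.strip()).split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {ace!r}")
    src = tokens[2]
    if src == "any":
        return "any"
    if src == "host" and IPV4.match(tokens[3]):
        return f"host {tokens[3]}"
    if IPV4.match(src) and IPV4.match(tokens[3]):
        return f"{src} {tokens[3]}"  # address followed by wildcard mask
    raise ValueError(f"unrecognised source in ACE: {ace!r}")


def lint_per_user_acl(aces, host_mode):
    """Return (line number, ACE, source) for each ACE that breaks the rule."""
    if not SOURCE_MUST_BE_ANY[host_mode]:  # KeyError on an unknown mode
        return []
    return [(n, ace, source_of(ace))
            for n, ace in enumerate(aces, start=1)
            if source_of(ace) != "any"]


# Constructed sample per-user ACL; the addresses are illustrative only.
SAMPLE_ACL = [
    "permit icmp any host 10.10.1.1",
    "ip:inacl#20=permit tcp host 10.10.2.5 any eq 443",
    "deny ip 10.10.3.0 0.0.0.255 any",
    "permit udp any any eq 53",
]

if __name__ == "__main__":
    for mode in ("single-host", "multi-auth"):
        print(mode, lint_per_user_acl(SAMPLE_ACL, mode))
```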
Authentication Manager CLI Commands
The authentication-manager interface-configuration commands control all the authentication methods, such as 802.1x,
MAC authentication bypass, and web authentication. The authentication manager commands determine the priority and
order of authentication methods applied to a connected host.
The authentication manager commands control generic authentication features, such as host-mode, violation mode, and
the authentication timer. Generic authentication commands include the authentication host-mode, authentication
violation, and authentication timer interface configuration commands.
802.1x-specific commands begin with the dot1x or authentication keyword. For example, the authentication
port-control auto interface configuration command enables authentication on an interface. However, the dot1x
system-auth-control global configuration command only globally enables or disables 802.1x authentication.
Note: If 802.1x authentication is globally disabled, other authentication methods are still enabled on that port, such as
web authentication.
You can filter out verbose system messages generated by the authentication manager. The filtered content typically
relates to authentication success. You can also filter verbose messages for 802.1x authentication and MAB
authentication. There is a separate command for each authentication method:
The no authentication logging verbose global configuration command filters verbose messages from the
authentication manager.
The no dot1x logging verbose global configuration command filters 802.1x authentication verbose messages.
The no mab logging verbose global configuration command filters MAC authentication bypass (MAB) verbose
messages.
Ports in Authorized and Unauthorized States
During 802.1x authentication, depending on the switch port state, the switch can grant a client access to the network.
The port starts in the unauthorized state. While in this state, the port that is not configured as a voice VLAN port disallows
all ingress and egress traffic except for 802.1x authentication, CDP, and STP packets. When a client is successfully
